Inside the Star

CIRA's 'whois' policy a stunning setback for privacy

Two months ago, I wrote a glowing review of the Canadian Internet Registration Authority's new "whois" policy that was supposed to better protect the privacy of hundreds of thousands of Canadians. The column argued that the policy, which governs access to personal information of dot-ca domain name registrants, would serve as a model for other domain name registries around the world.

Two months ago, I wrote a glowing review of the Canadian Internet Registration Authority's new "whois" policy that was supposed to better protect the privacy of hundreds of thousands of Canadians. The column argued that the policy, which governs access to personal information of dot-ca domain name registrants, would serve as a model for other domain name registries around the world.

Apparently I spoke too soon. While dot-ca registrants across the country were being advised of the new policy, special interests representing law enforcement and trademark holders were quietly pressuring CIRA to create a back door that will enable these two groups to have special access to registrant information. Just days before the new policy took effect, CIRA caved to the behind-the-scenes pressure and took a major step backward in the implementation of its policy.

Several years in the making, the new whois policy was to have conformed with national privacy laws by providing individuals with increased privacy protection over public access to their personal information. CIRA promised to continue to collect the same contact information from registrants but it would no longer require that such information be publicly available through its whois directory. In its place, CIRA would only require the public disclosure of limited technical information, though individual registrants would be able to voluntarily "opt-in" to providing more personal information.

Changes to the policy were driven by privacy and spam concerns, with many registrants preferring to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration retain access to the personal information).

Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure. When the policy launched on June 10, the personal information was shielded from the general public, yet CIRA unexpectedly instituted the back-door approaches that grant access to both law enforcement and trademark interests.

In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (such as denial-of-service attacks) and the agency will hand over registrant information without court oversight.

While it would have been preferable to disclose these exceptions earlier, they appear to be reasonably tailored to specific time-sensitive harm.

In the case of trademark holders (as well as copyright and patent owners), however, claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information. This represents a stunning about-face after years of public consultation on the whois policy.

The exception for trademark, copyright and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access.

For example, consider a Canadian who registers a dot-ca domain to be used as a whistleblower site about a company. The registrant may understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions.

Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the back-door exception means that the trademark holder can easily uncover the identity of the registrant since CIRA will simply hand over this information.

CIRA has defended the changes by arguing that the policy will be reviewed in 12 months. Yet CIRA could just have easily retained the no-exception policy and reviewed its effect one year later.

More on thestar.com

We value respectful and thoughtful discussion. Readers are encouraged to flag comments that fail to meet the standards outlined in our
Community Code of Conduct.
For further information, including our legal guidelines, please see our full website
Terms and Conditions.